A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Oracle JDBC classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.

Whilst none of the three classes mentioned in the patch appear to be used in any of the OpenDaylight codebase I checked, we do use the Oracle JDBC driver and we do ship impacted versions of jackson-databind, so it is worth updating the dependency.
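The configuration the flaw depends on, as an added example that is not part of the advisory or of any project it names: `enableDefaultTyping()` makes jackson-databind resolve and instantiate whatever class name appears in a type id, which is what lets a crafted document reach classes such as the Oracle JDBC ones; the hardened form below uses a `PolymorphicTypeValidator` allow-list (jackson-databind 2.10 or later) so that only explicitly listed subtypes are ever resolved. The `Event`, `LoginEvent` and `NotAllowedEvent` types and the `DefaultTypingHardening` class are hypothetical, constructed for this demonstration.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example, not code from the advisory or from any project it names.
// All application types here are hypothetical.
public class DefaultTypingHardening {

    public interface Event { }

    public static class LoginEvent implements Event {
        public String user;
    }

    // Present on the classpath and a subtype of Event, but deliberately
    // NOT on the allow-list, so the validator must reject it.
    public static class NotAllowedEvent implements Event {
        public String detail;
    }

    /** Weak: any class name carried in a type id is resolved and instantiated. */
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        // Deprecated since 2.10 for exactly this reason: no validator, no allow-list.
        mapper.enableDefaultTyping();
        return mapper;
    }

    /** Hardened: only explicitly listed subtypes may be resolved from a type id. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(LoginEvent.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    // Builds the WRAPPER_ARRAY form Jackson uses for default typing: ["type id", {...}].
    static String typed(Class<?> type, String body) {
        return "[\"" + type.getName() + "\"," + body + "]";
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        // Allow-listed subtype resolves normally.
        Event ok = mapper.readValue(typed(LoginEvent.class, "{\"user\":\"alice\"}"), Event.class);
        System.out.println("accepted: " + ((LoginEvent) ok).user);

        // Any other type id is rejected before the class is instantiated.
        try {
            mapper.readValue(typed(NotAllowedEvent.class, "{\"detail\":\"x\"}"), Event.class);
            System.out.println("unexpected: type id was accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected by PolymorphicTypeValidator: " + e.getTypeId());
        }
    }
}
```

Updating the dependency closes the specific gadget the patch addresses; replacing `enableDefaultTyping()` with an allow-listing validator (or dropping global default typing in favour of per-field `@JsonTypeInfo` with named subtypes) removes the whole class of issue, because a type id naming a class outside the list fails with `InvalidTypeIdException` whether or not that class is a known gadget.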

Statement:
Red Hat Satellite 6 is not affected by this issue, since Candlepin's java runtime environment does not load Oracle's JDBC classes.
Red Hat Virtualization 4 is not affected by this issue, since it does not load Oracle's JDBC classes.